routerboy
just joined
Topic Author
Posts: 3
Joined: Fri Jan 08, 2016 7:40 am

256-bit OpenVPN @ 200/200 mbps

Fri Jan 08, 2016 7:52 am

Hi All

I just got Fibre connected at my home and can't seem to find a router that can handle 200/200 mbps VPN encryption. According to speed tests I consistently get 200/200 but when I enable VPN Client mode on my ASUS RT-AC66U, it maxes out at 10/10. I tried the same VPN on my iPhone 6s and got 80/35 so I am pretty sure it isn't the VPN that is the bottleneck. It is most likely the CPU on the VPN device doing the encryption.

I have asked around and it has been suggested the Mikrotik Cloud Core Router is the way to go, but I am not sure which one can do 200/200 and also how would I go about setting up VPN Client mode on it (e.g. login with VPN provider username/password or load the OpenVPN file into it, and then it encrypts all incoming/outgoing traffic). Would love to hear any advice or any links that could give me more info. Thanks!
 
mada3k
Long time Member
Posts: 694
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: 256-bit OpenVPN @ 200/200 mbps

Fri Jan 08, 2016 10:30 am

400Mbps throughput is quite a lot. You will either need a beefy CPU or SSL/crypto-hardware.

Not sure if any of the Mikrotiks have it.
 
bds1904
Frequent Visitor
Posts: 63
Joined: Tue Sep 10, 2013 2:52 am

Re: 256-bit OpenVPN @ 200/200 mbps

Fri Jan 08, 2016 3:30 pm

1st issue is that RouterOS only supports TCP OpenVPN, that's it. UDP is not supported in any way and they say it won't ever be.

OpenVPN? Mikrotik doesn't have one. OpenSSL is 100% CPU based and single threaded. In order to achieve what you want you will need a high-mhz CPU. X86 is really the only option. If we were talking about ipsec that would be a different story. Crypto accelerators don't help OpenSSL.

There are several cheap x86 options that will get you 100mbit+ but anything more starts to get expensive. Look into these options and then put either RouterOS x86 or something like pfsense on them. Don't forget the ram and SSD either.

http://www.amazon.com/gp/product/B01720 ... e=UTF8&me=
http://www.amazon.com/dp/B012KJFXL4/?ta ... th=1&psc=1
 
routerboy
just joined
Topic Author
Posts: 3
Joined: Fri Jan 08, 2016 7:40 am

Re: 256-bit OpenVPN @ 200/200 mbps

Sat Jan 09, 2016 3:13 am

awesome thanks for the reply! ok so custom mini pc with routeros sounds like the way to go... does anyone have any idea how powerful a cpu is needed to get 200/200?
 
routerboy
just joined
Topic Author
Posts: 3
Joined: Fri Jan 08, 2016 7:40 am

Re: 256-bit OpenVPN @ 200/200 mbps

Sat Jan 09, 2016 4:08 am

I've also just found this thread:
https://www.privateinternetaccess.com/f ... -speeds/p2

By the sounds of it MikroTik can do OpenVPN 256-bit @ 7Gbps.. Am I missing something?

"Well I am getting a Mikrotik CCR1009 now after being sold watching a friend of mine push 7Gbps over OpenVPN, comes with 9 cores and 2gb ram, SFP+ port for 10gbps and most importantly hardware encryption."

I know RouterOS only uses one cpu for VPN but surely something else must be going on to achieve those results? Another person on the same thread achieved 150mbps (the max of their line speed) so I am thinking this should easily handle 200/200.. any thoughts?
 
eternal0
Frequent Visitor
Posts: 50
Joined: Fri Jun 20, 2014 5:56 pm

Re: 256-bit OpenVPN @ 200/200 mbps

Sat Jan 09, 2016 11:11 am

> 1st issue is that RouterOS only supports TCP OpenVPN, that's it. UDP is not supported in any way and they say it won't ever be.
>
> OpenVPN? Mikrotik doesn't have one. OpenSSL is 100% CPU based and single threaded. In order to achieve what you want you will need a high-mhz CPU. X86 is really the only option. If we were talking about ipsec that would be a different story. Crypto accelerators don't help OpenSSL.
>
> There are several cheap x86 options that will get you 100mbit+ but anything more starts to get expensive. Look into these options and then put either RouterOS x86 or something like pfsense on them. Don't forget the ram and SSD either.
>
> http://www.amazon.com/gp/product/B01720 ... e=UTF8&me=
> http://www.amazon.com/dp/B012KJFXL4/?ta ... th=1&psc=1

Do you know if RouterOS supports these products without hardware driver issues?
 
mada3k
Long time Member
Posts: 694
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: 256-bit OpenVPN @ 200/200 mbps

Sat Jan 09, 2016 5:10 pm

> OpenSSL is 100% CPU based and single threaded. In order to achieve what you want you will need a high-mhz CPU. X86 is really the only option.

Not entirely true. OpenSSL can take advantage of kernel-module based crypto engines (/proc/crypto). Some ARM/MIPS hardware actually has crypto offload hardware that interfaces with the kernel.

https://access.redhat.com/documentation ... ngine.html
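
A way to check what the post above points at on a Linux box, as an added example that is not from any post in this thread: the function reads /proc/crypto-format text and reports the driver the kernel would pick for an algorithm (highest priority wins). The sample entries are constructed, and `best_driver` is a name chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. best_driver is a name chosen here.
# Reads /proc/crypto-format text on stdin and prints "driver module priority"
# for the highest-priority implementation of the requested algorithm, which
# is the one the kernel crypto API hands out by default.
best_driver() {   # usage: best_driver 'cbc(aes)' < /proc/crypto
    awk -F ' *: *' -v want="$1" '
        function commit() {
            # Keep the entry just finished if it matches and outranks the best so far.
            if (name == want && prio + 0 > bestprio) {
                best = driver " " module " " prio
                bestprio = prio + 0
            }
            name = driver = module = prio = ""
        }
        BEGIN { bestprio = -1 }
        $1 == "name"     { commit(); name = $2 }   # every entry starts with "name"
        $1 == "driver"   { driver = $2 }
        $1 == "module"   { module = $2 }
        $1 == "priority" { prio = $2 }
        END { commit(); if (best == "") exit 1; print best }
    '
}

# Constructed sample (not captured from a real router): a generic software
# implementation and an AES-NI driver registered for the same algorithm.
SAMPLE='name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
type         : skcipher

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
priority     : 400
type         : skcipher

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
type         : shash'

printf '%s\n' "$SAMPLE" | best_driver 'cbc(aes)'

# On a live Linux system, ask the kernel itself.
if [ -r /proc/crypto ]; then
    best_driver 'cbc(aes)' < /proc/crypto || echo "cbc(aes) not registered"
fi
```

A non-generic winner only shows what the kernel crypto API offers; whether OpenVPN's OpenSSL path benefits from it is the separate question the following replies argue about.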
 
eternal0
Frequent Visitor
Posts: 50
Joined: Fri Jun 20, 2014 5:56 pm

Re: 256-bit OpenVPN @ 200/200 mbps

Sun Jan 10, 2016 3:32 am

> > OpenSSL is 100% CPU based and single threaded. In order to achieve what you want you will need a high-mhz CPU. X86 is really the only option.
>
> Not entirely true. OpenSSL can take advantage of kernel-module based crypto engines (/proc/crypto). Some ARM/MIPS hardware actually has crypto offload hardware that interfaces with the kernel.
>
> https://access.redhat.com/documentation ... ngine.html

But for RouterOS, the hardware encryption engine in PowerPC and TileGX series only supports IPsec with AES-xxx-CBC.
We should ask MikroTik staff to confirm whether RouterOS x86 & x86-64 & ARM support AES-NI in IPsec, SSTP and OVPN.
 
bds1904
Frequent Visitor
Posts: 63
Joined: Tue Sep 10, 2013 2:52 am

Re: 256-bit OpenVPN @ 200/200 mbps

Sun Jan 10, 2016 4:27 am

> Do you know if RouterOS supports these products without hardware driver issues?

The quad-nic box is a J1900 (2GHz processor) that has all Intel NICs. There is no reason RouterOS won't support everything natively. The only issue will be the disk. You will likely have to force the disk into IDE mode for RouterOS to recognize it.

> > OpenSSL is 100% CPU based and single threaded. In order to achieve what you want you will need a high-mhz CPU. X86 is really the only option.
>
> Not entirely true. OpenSSL can take advantage of kernel-module based crypto engines (/proc/crypto). Some ARM/MIPS hardware actually has crypto offload hardware that interfaces with the kernel.
>
> https://access.redhat.com/documentation ... ngine.html

You are correct that OpenSSL can take advantage of kernel-module based crypto engines, but I suppose I should have been more specific.

Although the OpenVPN OpenSSL implementation can take advantage of hardware acceleration, including ARM modules and AES-NI, it is extremely inefficient at it. The way OpenVPN handles encryption does not take well to hardware acceleration because of the actual way it handles the encryption. I don't remember how it is different than IPSEC exactly but I remember it has something to do with the way OpenSSL handles accelerators not being 100% secure.

A good example of this is the little router I just built to run PFSense. The CPU is a Celeron N3150 which supports AES-NI. The box will route gigabit all day with no issues and run IPSEC AES-256-CBC at about 125Mbit without AES-NI enabled, OpenVPN AES-256-CBC will only push 98Mbit. Enabling AES-NI support at the kernel level brings IPSEC AES-256-CBC to 400Mbit and OpenVPN AES-256-CBC to 122Mbit.
 
cpliu903
Frequent Visitor
Posts: 53
Joined: Wed Apr 01, 2015 10:20 am

Re: 256-bit OpenVPN @ 200/200 mbps

Wed Feb 17, 2016 4:11 pm

> I just built to run PFSense. The CPU is a Celeron N3150 which supports AES-NI. The box will route gigabit all day with no issues and run IPSEC AES-256-CBC at about 125Mbit without AES-NI enabled, OpenVPN AES-256-CBC will only push 98Mbit. Enabling AES-NI support at the kernel level brings IPSEC AES-256-CBC to 400Mbit and OpenVPN AES-256-CBC to 122Mbit.

Does that mean IPsec is always faster than OpenVPN?
And no CPU supports OpenVPN acceleration? (even x86 with AES-NI)

Which type of IPsec was used for this testing? L2TP/IPsec or Cisco IPsec with X-Auth?
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: 256-bit OpenVPN @ 200/200 mbps

Wed Feb 17, 2016 4:57 pm

> I've also just found this thread:
> https://www.privateinternetaccess.com/f ... -speeds/p2
>
> By the sounds of it MikroTik can do OpenVPN 256-bit @ 7Gbps.. Am I missing something?
>
> "Well I am getting a Mikrotik CCR1009 now after being sold watching a friend of mine push 7Gbps over OpenVPN, comes with 9 cores and 2gb ram, SFP+ port for 10gbps and most importantly hardware encryption."
>
> I know RouterOS only uses one cpu for VPN but surely something else must be going on to achieve those results? Another person on the same thread achieved 150mbps (the max of their line speed) so I am thinking this should easily handle 200/200.. any thoughts?

7Gbps on 9core CCR with standard packet size sounds impossible. Either test is flawed, traffic actually does not go over the tunnel or something like that could be done with very large packets, like 10000MTU and multiple OVPN tunnels to utilize every core.

Quick and dirty test with bandwidth test (1400byte packets) on single OVPN tunnel
aes-128 - 110Mbps
aes-256 - 124Mbps
blowfish - 150Mbps

> Does that mean IPsec is always faster than OpenVPN?
> And no CPU supports OpenVPN acceleration? (even x86 with AES-NI)

On routers with RouterOS, IPsec will always be faster than OVPN. HW encryption drivers are enabled only for supported RouterBOARDS, so no x86 HW support.
 
Siona
Frequent Visitor
Posts: 83
Joined: Thu Jan 29, 2015 11:56 am

Re: 256-bit OpenVPN @ 200/200 mbps

Wed Feb 17, 2016 5:39 pm

> 1st issue is that RouterOS only supports TCP OpenVPN, that's it. UDP is not supported in any way and they say it won't ever be.

not true - http://forum.mikrotik.com/viewtopic.php ... 10#p435410
 
chechito
Forum Guru
Posts: 3005
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: 256-bit OpenVPN @ 200/200 mbps

Wed Feb 17, 2016 10:28 pm

beware of hardware compatibility when building an x86 mikrotik, sometimes it is better to use virtualization to avoid hardware compatibility problems but it adds another layer of complexity

the best single threaded performance per dollar is obtained with intel core i3 CPUs and pentium cheap

for example this core i3 cpu has 3.9ghz of clock cost: 170US, cheaper option cost 130US but 3.7ghz of clock

http://ark.intel.com/products/90733/Int ... e-3_90-GHz

this pentium 3.6 ghz cost 100US, cheaper option cost 90us but 3.5ghz of clock

http://ark.intel.com/products/90732/Int ... e-3_60-GHz
 
eternal0
Frequent Visitor
Posts: 50
Joined: Fri Jun 20, 2014 5:56 pm

Re: 256-bit OpenVPN @ 200/200 mbps

Thu Feb 18, 2016 10:36 am

> > I've also just found this thread:
> > https://www.privateinternetaccess.com/f ... -speeds/p2
> >
> > By the sounds of it MikroTik can do OpenVPN 256-bit @ 7Gbps.. Am I missing something?
> >
> > "Well I am getting a Mikrotik CCR1009 now after being sold watching a friend of mine push 7Gbps over OpenVPN, comes with 9 cores and 2gb ram, SFP+ port for 10gbps and most importantly hardware encryption."
> >
> > I know RouterOS only uses one cpu for VPN but surely something else must be going on to achieve those results? Another person on the same thread achieved 150mbps (the max of their line speed) so I am thinking this should easily handle 200/200.. any thoughts?
>
> 7Gbps on 9core CCR with standard packet size sounds impossible. Either test is flawed, traffic actually does not go over the tunnel or something like that could be done with very large packets, like 10000MTU and multiple OVPN tunnels to utilize every core.
>
> Quick and dirty test with bandwidth test (1400byte packets) on single OVPN tunnel
> aes-128 - 110Mbps
> aes-256 - 124Mbps
> blowfish - 150Mbps
>
> > Does that mean IPsec is always faster than OpenVPN?
> > And no CPU supports OpenVPN acceleration? (even x86 with AES-NI)
>
> On routers with RouterOS, IPsec will always be faster than OVPN. HW encryption drivers are enabled only for supported RouterBOARDS, so no x86 HW support.

Will RouterOS benefit from new instruction sets such as AES-NI and AVX?
AES-NI was already supported by OpenSSL several years ago.

Another question is whether HW encryption on PowerPC/Tile-GX supports encryption methods other than AES-xxx-CBC such as CTR and GCM?
Last edited by eternal0 on Fri Feb 19, 2016 11:21 am, edited 1 time in total.
 
cpliu903
Frequent Visitor
Posts: 53
Joined: Wed Apr 01, 2015 10:20 am

Re: 256-bit OpenVPN @ 200/200 mbps

Fri Feb 19, 2016 5:59 am

Refer to FortiGate/FortiWiFi 30D Series.
http://www.fortinet.com/sites/default/f ... te-30D.pdf

It can provide 350Mbps for IPsec VPN Throughput (512 byte packets), but only provides 25Mbps for SSL-VPN Throughput.

Why the huge difference?
